Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Log Data Tampering: Windows File/Directory Auditing?

kholleran
Communicator
‎11-02-2010 07:02 PM

Hello,

I need to monitor the folders that the log files are in. I need to be able to show that no one is trying to directly access the log files and delete them. Is there a way to do this within Splunk? If not, I would like to set up Windows File Auditing on the database files in the directories and alert if the changes are made by anything other than the Splunk System. How can I specify in Windows EVERYONE but not Splunk (which is running as Local System I believe - was installed at the default user setting).

Thanks very much for your help.

Kevin

0 Karma
Reply

ftk
Motivator
‎11-02-2010 07:16 PM

You can set up SACLs (Auditing entries) in Windows, and do two auditing entries -- one for the EVERYONE group that logs any changes, and one for the splunk user that exempts the user from getting changes logged.

Reply

ftk
Motivator
‎11-03-2010 12:36 PM

It should exempt an account if you leave all boxes cleared, not 100% sure right now. IF that doesn't work, I would run Splunk as a separate user account, then modify permissions to only allow the splunk account to modify the logs and change permissions, then place auditing entries for EVERYONE that audit modify/delete and change permission failures as well as change permission successes to catch everybody but the splunk account tampering with the files.

0 Karma
Reply

kholleran
Communicator
‎11-02-2010 08:29 PM

How do you do an explicit do not audit? I see where you can turn it on and off but not an explicit "No auditing" that I could apply to Local System to override the Everyone built-in.

Thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...